LynQX, Inc. (“LynQX,” “we,” “us”) takes data protection seriously because life sciences demands it. This policy explains what we collect, why, where it’s stored, who can see it, and what rights you have. This is a plain-English overview; specific obligations are defined in our Terms of Service and our Data Processing Addendum (DPA), available on request to legal@lynqx.com.
1. What we collect
- Account data — name, email, role/persona, organization affiliation, and (where applicable) a Supabase Auth identifier. Provided when you sign up.
- Profile data for experts — credentials (e.g. NPI, ORCID), publications, patents, trial roles, capability statements. Pulled from public sources or supplied by you.
- Engagement data — needs you express, projects you create or apply to, messages, scheduled meetings, contracts, invoices, milestones.
- Usage data — page views, feature usage, anonymized agent telemetry.
- PHI — only collected in HIPAA-mode workspaces, only when explicitly flagged, and only with a signed BAA.
2. How we use it
- Operate the marketplace: matching, verification, scheduling, billing, audit.
- Improve the agents — but never train third-party models on customer data.
- Comply with regulatory obligations (debarment screening, audit retention, etc.).
- Send transactional notifications and (with consent) product updates.
3. Where data lives
Postgres + pgvector (Supabase, US-East primary; EU-West for residency-tagged tenants), Neo4j (managed), object storage in Cloudflare R2 / AWS S3, notification routing in Knock. Each vendor signs a Data Processing Addendum.
4. Sharing
We share your data only with: (a) sub-processors required to operate the service (Supabase, Anthropic, OpenAI for non-Restricted ops, Stripe, Knock, Sentry), (b) regulators on legal request after legal review, and (c) other LynQX users only via the matching and engagement flows you initiate. We never sell your data.
5. International transfers (GDPR)
For EU data subjects, we honor data residency: data is stored in the EU on EU plans, and cross-region movement is blocked at the Compliance Sentinel layer. Standard Contractual Clauses are available where transfers are necessary.
6. Your rights
- Access — full export at /account/data-export within 30 days.
- Rectification — edit most fields in-product; admin path for the rest.
- Erasure — hard delete on request. Audit-log retention overrides only with a legal basis (typically 7 years).
- Portability — JSON export; W3C Verifiable Credentials in Phase 3.
- Objection — opt out of agent-driven matching at any time.
7. Retention
Account data: for the life of the account + 90 days. Audit logs: 7 years. Engagement records: 7 years for tax / dispute purposes. Detailed retention schedule in the DPA.
8. Security
TLS 1.3 in transit, AES-256 at rest. Field-level encryption (libsodium, key in AWS KMS) on sensitive fields. Three layers of tenant isolation (Supabase RLS, Postgres role, application). Annual third-party penetration tests. Continuous monitoring. SOC 2 Type II in observation; full report available under NDA.
9. Cookies
See our Cookie Policy for the specific cookies we set. Functional cookies only by default; analytics with consent.
10. Children
LynQX is not for users under 18. Onboarding requires age confirmation. No exceptions.
11. Changes
We’ll notify all account holders by email at least 30 days before material changes take effect. Historical versions are kept and available on request.
12. Contact
Privacy questions, DSR requests, or DPA: privacy@lynqx.com. For security issues: security@lynqx.com.